Using LetsEncrypt SSL Certificates with Zimbra

https://wiki.zimbra.com/wiki/JDunphy-Letsencrypt

https://github.com/JimDunphy/deploy-zimbra-letsencrypt.sh

https://github.com/acmesh-official/acme.sh

https://github.com/acmesh-official/acme.sh/wiki/How-to-issue-a-cert

https://github.com/acmesh-official/acme.sh/wiki/dns-manual-mode

Your Zimbra will be restarted during this process, taking users offline!
When using DNS auth for LetsEncrypt, you cannot automatically renew unless your DNS is hosted by a provider with a supported API.
Be sure to include all Subject Alternative Names (SANs) that you need on the certificate.
When creating or renewing without a DNS API, you run an 'issue' command, then ADD the TXT records it prints to your DNS, then rerun the same 'issue' command with the --renew flag.

Install acme.sh

su - 
mkdir /opt/zimbra/.acme.sh; chown zimbra:zimbra /opt/zimbra/.acme.sh

su - zimbra
cd /opt/zimbra/.acme.sh
wget -O -  https://get.acme.sh | sh

Configure for LetsEncrypt

Set default CA to LetsEncrypt

su - zimbra
cd .acme.sh/
./acme.sh --set-default-ca --preferred-chain "ISRG" --server letsencrypt

Upgrade acme.sh

./acme.sh --upgrade

View Deployed Certs

Zimbra

/opt/zimbra/bin/zmcertmgr viewdeployedcrt all

acme.sh

./acme.sh --list

Create or Renew Cert

Use the --renew flag for renewals. This will also deploy the updated cert.

acme.sh --issue --dns -d hostname.domain.tld -d san.domain.tld --yes-I-know-dns-manual-mode-enough-go-ahead-please --renew

Original Cert Deployment

acme.sh --deploy --deploy-hook zimbra -d hostname.domain.tld -d san.domain.tld

Troubleshooting

See also Zimbra Self-Signed SSL Certs

If a cert is expired, you must reissue a new cert.

If a certificate renewal fails, try reissuing a new cert instead.

If you have trouble reissuing a new cert, recreate and deploy a new self-signed cert to get Zimbra 'working' again. Then re-implement a LetsEncrypt cert.
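Deciding between "renew" and "reissue", and catching a missing SAN before users notice, is easier with a check against the certificate Zimbra actually serves. The script below is an added example, not part of this page, of Zimbra or of acme.sh. It reads the commercial certificate that zmcertmgr installs (the /opt/zimbra/ssl/zimbra/commercial/commercial.crt path is taken from the deploy output on this page), classifies it as ok, renew or reissue using openssl's -checkend, and lists any required hostname missing from the subjectAltName extension. It assumes OpenSSL 1.1.1 or later (for x509 -ext) and a 30-day warning window, both of which are assumptions rather than anything the page states.

```shell
#!/bin/sh
# Added example (not from the wiki page, Zimbra or acme.sh): health check
# of the deployed Zimbra commercial certificate. Assumes OpenSSL >= 1.1.1.

CERT=${CERT:-/opt/zimbra/ssl/zimbra/commercial/commercial.crt}
RENEW_WINDOW_DAYS=${RENEW_WINDOW_DAYS:-30}   # assumption: warn this close to expiry

# Print the DNS names from an openssl subjectAltName dump, one per line.
# Input looks like: DNS:zimbra.example.com, DNS:mail.example.com
san_dns_names() {
    tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:[[:space:]]*//p'
}

# $1 = SAN text, $2 = space-separated required hostnames.
# Prints the hostnames not covered; empty output means all are present.
missing_sans() {
    present=$(printf '%s\n' "$1" | san_dns_names)
    for host in $2; do
        printf '%s\n' "$present" | grep -qixF "$host" || echo "$host"
    done
}

# ok / renew / reissue for the certificate file in $1, following the page's
# rule that an expired certificate must be reissued rather than renewed.
cert_action() {
    window=$((RENEW_WINDOW_DAYS * 86400))
    if ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; then
        echo reissue
    elif ! openssl x509 -in "$1" -noout -checkend "$window" >/dev/null 2>&1; then
        echo renew
    else
        echo ok
    fi
}

# Report on the deployed certificate; $* = hostnames that must be on it.
# Exit status 1 when a hostname is missing, 2 when the file is unreadable.
check_deployed_cert() {
    [ -r "$CERT" ] || { echo "cannot read $CERT (run as zimbra or root)" >&2; return 2; }
    openssl x509 -in "$CERT" -noout -subject -issuer -enddate
    echo "action: $(cert_action "$CERT")"
    san=$(openssl x509 -in "$CERT" -noout -ext subjectAltName | sed 1d)
    missing=$(missing_sans "$san" "$*")
    if [ -n "$missing" ]; then
        echo "missing from SAN (reissue with a -d flag for each):"; echo "$missing"; return 1
    fi
    echo "all required hostnames present in SAN"
}

if [ "$#" -gt 0 ]; then
    check_deployed_cert "$@"
fi
```

Usage: `sh check_zimbra_cert.sh zimbra2.virtualarchitects.com zimbra.virtualarchitects.com` as the zimbra user; a non-zero exit from a cron job is a cheap early warning that the next renewal needs attention.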

Old Info

https://wiki.zimbra.com/wiki/JDunphy-Letsencrypt

https://github.com/acmesh-official/acme.sh

https://github.com/acmesh-official/acme.sh/wiki/How-to-issue-a-cert

https://github.com/acmesh-official/acme.sh/wiki/dns-manual-mode

zimbra@zimbra2:~$ acme.sh --issue --dns -d zimbra2.virtualarchitects.com -d zimbra.virtualarchitects.com
[Wed Nov 10 20:24:04 MST 2021] It seems that you are using dns manual mode. Read this link first: https://github.com/acmesh-official/acme.sh/wiki/dns-manual-mode
zimbra@zimbra2:~$ acme.sh --issue --dns -d zimbra2.virtualarchitects.com -d zimbra.virtualarchitects.com --yes-I-know-dns-manual-mode-enough-go-ahead-please
[Wed Nov 10 20:25:27 MST 2021] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Wed Nov 10 20:25:28 MST 2021] Create account key ok.
[Wed Nov 10 20:25:28 MST 2021] Registering account: https://acme-v02.api.letsencrypt.org/directory
[Wed Nov 10 20:25:28 MST 2021] Registered
[Wed Nov 10 20:25:28 MST 2021] ACCOUNT_THUMBPRINT='5W6wS2ZyBnn-WvlfQU1EUaxVD7ZWsFC91JeXlt4pXJU'
[Wed Nov 10 20:25:28 MST 2021] Creating domain key
[Wed Nov 10 20:25:28 MST 2021] The domain key is here: /opt/zimbra/.acme.sh/zimbra2.virtualarchitects.com/zimbra2.virtualarchitects.com.key
[Wed Nov 10 20:25:28 MST 2021] Multi domain='DNS:zimbra2.virtualarchitects.com,DNS:zimbra.virtualarchitects.com'
[Wed Nov 10 20:25:28 MST 2021] Getting domain auth token for each domain
[Wed Nov 10 20:25:29 MST 2021] Getting webroot for domain='zimbra2.virtualarchitects.com'
[Wed Nov 10 20:25:30 MST 2021] Getting webroot for domain='zimbra.virtualarchitects.com'
[Wed Nov 10 20:25:30 MST 2021] Add the following TXT record:
[Wed Nov 10 20:25:30 MST 2021] Domain: '_acme-challenge.zimbra2.virtualarchitects.com'
[Wed Nov 10 20:25:30 MST 2021] TXT value: 'jH4x4nro9AlD00jrhOwpkuRXJTptq7WLg02CsgRTt1c'
[Wed Nov 10 20:25:30 MST 2021] Please be aware that you prepend _acme-challenge. before your domain
[Wed Nov 10 20:25:30 MST 2021] so the resulting subdomain will be: _acme-challenge.zimbra2.virtualarchitects.com
[Wed Nov 10 20:25:30 MST 2021] Add the following TXT record:
[Wed Nov 10 20:25:30 MST 2021] Domain: '_acme-challenge.zimbra.virtualarchitects.com'
[Wed Nov 10 20:25:30 MST 2021] TXT value: 'iz8c7WcRq4XZUYZfyoqRAHONjPmOT2L75c2Iy11o1Uc'
[Wed Nov 10 20:25:30 MST 2021] Please be aware that you prepend _acme-challenge. before your domain
[Wed Nov 10 20:25:30 MST 2021] so the resulting subdomain will be: _acme-challenge.zimbra.virtualarchitects.com
[Wed Nov 10 20:25:30 MST 2021] Please add the TXT records to the domains, and re-run with --renew.
[Wed Nov 10 20:25:30 MST 2021] Please add '--debug' or '--log' to check more details.
[Wed Nov 10 20:25:30 MST 2021] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
zimbra@zimbra2:~$ acme.sh --issue --dns -d zimbra2.virtualarchitects.com -d zimbra.virtualarchitects.com --yes-I-know-dns-manual-mode-enough-go-ahead-please --renew
[Wed Nov 10 20:34:57 MST 2021] Renew: 'zimbra2.virtualarchitects.com'
[Wed Nov 10 20:34:57 MST 2021] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Wed Nov 10 20:34:57 MST 2021] Multi domain='DNS:zimbra2.virtualarchitects.com,DNS:zimbra.virtualarchitects.com'
[Wed Nov 10 20:34:57 MST 2021] Getting domain auth token for each domain
[Wed Nov 10 20:34:57 MST 2021] Verifying: zimbra2.virtualarchitects.com
[Wed Nov 10 20:34:58 MST 2021] Pending, The CA is processing your order, please just wait. (1/30)
[Wed Nov 10 20:35:00 MST 2021] Success
[Wed Nov 10 20:35:00 MST 2021] Verifying: zimbra.virtualarchitects.com
[Wed Nov 10 20:35:01 MST 2021] Pending, The CA is processing your order, please just wait. (1/30)
[Wed Nov 10 20:35:03 MST 2021] Success
[Wed Nov 10 20:35:03 MST 2021] Verify finished, start to sign.
[Wed Nov 10 20:35:03 MST 2021] Lets finalize the order.
[Wed Nov 10 20:35:03 MST 2021] Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/276008060/38727234670'
[Wed Nov 10 20:35:05 MST 2021] Downloading cert.
[Wed Nov 10 20:35:05 MST 2021] Le_LinkCert='https://acme-v02.api.letsencrypt.org/acme/cert/04e623499acb07130eae163ae7b85ec739e3'
[Wed Nov 10 20:35:05 MST 2021] Try rel: https://acme-v02.api.letsencrypt.org/acme/cert/04e623499acb07130eae163ae7b85ec739e3/1
[Wed Nov 10 20:35:05 MST 2021] Matched issuer in: https://acme-v02.api.letsencrypt.org/acme/cert/04e623499acb07130eae163ae7b85ec739e3/1
[Wed Nov 10 20:35:05 MST 2021] Cert success.
-----BEGIN CERTIFICATE-----
MIIFXjCCBEagAwIBAgISBOYjSZrLBxMOrhY657hexznjMA0GCSqGSIb3DQEBCwUA
MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
EwJSMzAeFw0yMTExMTEwMjM1MDRaFw0yMjAyMDkwMjM1MDNaMCgxJjAkBgNVBAMT
HXppbWJyYTIudmlydHVhbGFyY2hpdGVjdHMuY29tMIIBIjANBgkqhkiG9w0BAQEF
AAOCAQ8AMIIBCgKCAQEAuYahvVpEfTwfdN0ywalrml7oJNhJxUX2IofWi0PikOvs
QmuUosN0bLYB4ARLiSZ7hM+Sm7oKqf3/7IX5zpXlYCZBjC6+Zv2zjhyGTCnEDa/f
FbWO1GaVhMreBqMiXzoTy9D6fHQrfPVUeDF1bMkNaaJRwIzDLvV76P9mjqePnKX9
s5MLjFIEY3R7FbSxgcevm6uJr0cvNL8Bxd+CRWxM3oj7vGhsalcy3Al2aX7Dx+Re
G0Icj3Xrxg5Onol87yznT8OhG7rPXBabmgEMmIL6hGokKcDrJ3ZkKtRqHb+Tj8Gj
yivtTvuG3HV46SEnwhhByVoewDRffCExU47+auehtQIDAQABo4ICdjCCAnIwDgYD
VR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNV
HRMBAf8EAjAAMB0GA1UdDgQWBBSFjCrAa7t2+5jG/KHv9R+vR+aXSjAfBgNVHSME
GDAWgBQULrMXt1hWy65QCUDmH6+dixTCxjBVBggrBgEFBQcBAQRJMEcwIQYIKwYB
BQUHMAGGFWh0dHA6Ly9yMy5vLmxlbmNyLm9yZzAiBggrBgEFBQcwAoYWaHR0cDov
L3IzLmkubGVuY3Iub3JnLzBGBgNVHREEPzA9ghx6aW1icmEudmlydHVhbGFyY2hp
dGVjdHMuY29tgh16aW1icmEyLnZpcnR1YWxhcmNoaXRlY3RzLmNvbTBMBgNVHSAE
RTBDMAgGBmeBDAECATA3BgsrBgEEAYLfEwEBATAoMCYGCCsGAQUFBwIBFhpodHRw
Oi8vY3BzLmxldHNlbmNyeXB0Lm9yZzCCAQQGCisGAQQB1nkCBAIEgfUEgfIA8AB2
AEalVet1+pEgMLWiiWn0830RLEF0vv1JuIWr8vxw/m1HAAABfQ0QL5YAAAQDAEcw
RQIgCKpqWqmK9RFe1FgrLZfNt3hcvz0nIRmMTcV9GeFtHesCIQDYeWP7Zu7jKYEu
rx3LV8ZsxM3slRUJiRDKdr/MSvqgCgB2AG9Tdqwx8DEZ2JkApFEV/3cVHBHZAsEA
KQaNsgiaN9kTAAABfQ0QMYwAAAQDAEcwRQIgBj9euaJoExyL0PhAHltebzXKfiEK
HPFb02vJkxSFV4wCIQD31pTo6/2jkjbY6Eh7UhfZeFAYmXVZxIefuVcz9+sTAN
BgkqhkiG9w0BAQsFAAOCAQEAT/KcOSzu3KwDbXHezkrlc7zZWxH3gS2FVWcKao57
4W7DnvNT6d7qUoCL8sZicfSNFgGBaHt4dzIZuvYCOhiO+eDTVUUzfPHViPuogX8F
hk41Abd5ND3N9Ep2tPiefT1YE1f5fjuMQy7RsNmQtSk07ODUR/hvlWJ/T7aRbMj6
rGOTqjXy/xkABMSdOR/1tm7ZvOESr7rjbbknlmir7MW+zbno0MK44DViOLDuKTPF
mEqyUPR+yxADn1nOPUS5xpaVXN0jbaF2dXWjrzjE0NMWGa1EkXLwFImz8D106LzH
3ug4SC/Puyf1tr3j0NNHK5s4LBqjatlebz16E3k6P2lXlw==
-----END CERTIFICATE-----
[Wed Nov 10 20:35:05 MST 2021] Your cert is in: /opt/zimbra/.acme.sh/zimbra2.virtualarchitects.com/zimbra2.virtualarchitects.com.cer
[Wed Nov 10 20:35:05 MST 2021] Your cert key is in: /opt/zimbra/.acme.sh/zimbra2.virtualarchitects.com/zimbra2.virtualarchitects.com.key
[Wed Nov 10 20:35:05 MST 2021] The intermediate CA cert is in: /opt/zimbra/.acme.sh/zimbra2.virtualarchitects.com/ca.cer
[Wed Nov 10 20:35:05 MST 2021] And the full chain certs is there: /opt/zimbra/.acme.sh/zimbra2.virtualarchitects.com/fullchain.cer
zimbra@zimbra2:~$ acme.sh --deploy --deploy-hook zimbra -d zimbra2.virtualarchitects.com -d zimbra.virtualarchitects.com
zimbra@zimbra2:~$ acme.sh --deploy --deploy-hook zimbra -d zimbra2.virtualarchitects.com -d zimbra.virtualarchitects.com
Verifying '/opt/zimbra/.acme.sh/zimbra2.virtualarchitects.com/zimbra2.virtualarchitects.com.cer' against '/opt/zimbra/.acme.sh/zimbra2.virtualarchitects.com/zimbra2.virtualarchitects.com.key'
Certificate '/opt/zimbra/.acme.sh/zimbra2.virtualarchitects.com/zimbra2.virtualarchitects.com.cer' and private key '/opt/zimbra/.acme.sh/zimbra2.virtualarchitects.com/zimbra2.virtualarchitects.com.key' match.
Verifying '/opt/zimbra/.acme.sh/zimbra2.virtualarchitects.com/zimbra2.virtualarchitects.com.cer' against '/opt/zimbra/.acme.sh/zimbra2.virtualarchitects.com/ca.cer.real'
Valid certificate chain: /opt/zimbra/.acme.sh/zimbra2.virtualarchitects.com/zimbra2.virtualarchitects.com.cer: OK
Verifying '/opt/zimbra/.acme.sh/zimbra2.virtualarchitects.com/zimbra2.virtualarchitects.com.cer' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
Certificate '/opt/zimbra/.acme.sh/zimbra2.virtualarchitects.com/zimbra2.virtualarchitects.com.cer' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match.
Verifying '/opt/zimbra/.acme.sh/zimbra2.virtualarchitects.com/zimbra2.virtualarchitects.com.cer' against '/opt/zimbra/.acme.sh/zimbra2.virtualarchitects.com/ca.cer.real'
Valid certificate chain: /opt/zimbra/.acme.sh/zimbra2.virtualarchitects.com/zimbra2.virtualarchitects.com.cer: OK
Copying '/opt/zimbra/.acme.sh/zimbra2.virtualarchitects.com/zimbra2.virtualarchitects.com.cer' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt'
Copying '/opt/zimbra/.acme.sh/zimbra2.virtualarchitects.com/ca.cer.real' to '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt'
Appending ca chain '/opt/zimbra/.acme.sh/zimbra2.virtualarchitects.com/ca.cer.real' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt'
Importing cert '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt' as 'zcs-user-commercial_ca' into cacerts '/opt/zimbra/common/lib/jvm/java/lib/security/cacerts'
NOTE: restart mailboxd to use the imported certificate.
Saving config key 'zimbraSSLCertificate' via zmprov modifyServer zimbra2.virtualarchitects.com...ok
Saving config key 'zimbraSSLPrivateKey' via zmprov modifyServer zimbra2.virtualarchitects.com...ok
Installing imapd certificate '/opt/zimbra/conf/imapd.crt' and key '/opt/zimbra/conf/imapd.key'
Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/imapd.crt'
Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/imapd.key'
Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12'
Creating keystore '/opt/zimbra/conf/imapd.keystore'
Installing ldap certificate '/opt/zimbra/conf/slapd.crt' and key '/opt/zimbra/conf/slapd.key'
Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/slapd.crt'
Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/slapd.key'
Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12'
Creating keystore '/opt/zimbra/mailboxd/etc/keystore'
Installing mta certificate '/opt/zimbra/conf/smtpd.crt' and key '/opt/zimbra/conf/smtpd.key'
Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/smtpd.crt'
Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/smtpd.key'
Installing proxy certificate '/opt/zimbra/conf/nginx.crt' and key '/opt/zimbra/conf/nginx.key'
Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/nginx.crt'
Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/nginx.key'
NOTE: restart services to use the new certificates.
Cleaning up 9 files from '/opt/zimbra/conf/ca'
Removing /opt/zimbra/conf/ca/d65ba5bf.0
Removing /opt/zimbra/conf/ca/8d33f237.0
Removing /opt/zimbra/conf/ca/commercial_ca_1.crt
Removing /opt/zimbra/conf/ca/2e5ac55d.0
Removing /opt/zimbra/conf/ca/4042bcee.0
Removing /opt/zimbra/conf/ca/commercial_ca_3.crt
Removing /opt/zimbra/conf/ca/ca.pem
Removing /opt/zimbra/conf/ca/ca.key
Removing /opt/zimbra/conf/ca/commercial_ca_2.crt
Copying CA to /opt/zimbra/conf/ca
Copying '/opt/zimbra/ssl/zimbra/ca/ca.key' to '/opt/zimbra/conf/ca/ca.key'
Copying '/opt/zimbra/ssl/zimbra/ca/ca.pem' to '/opt/zimbra/conf/ca/ca.pem'
Creating CA hash symlink 'd65ba5bf.0' -> 'ca.pem'
Creating /opt/zimbra/conf/ca/commercial_ca_1.crt
Creating CA hash symlink 'b88a82fc.0' -> 'commercial_ca_1.crt'
Creating /opt/zimbra/conf/ca/commercial_ca_2.crt
Creating CA hash symlink '8d33f237.0' -> 'commercial_ca_2.crt'
Creating /opt/zimbra/conf/ca/commercial_ca_3.crt
Creating CA hash symlink '4042bcee.0' -> 'commercial_ca_3.crt'
Host zimbra2.virtualarchitects.com
	Stopping zmconfigd...Done.
	Stopping zimlet webapp...Done.
	Stopping zimbraAdmin webapp...Done.
	Stopping zimbra webapp...Done.
	Stopping service webapp...Done.
	Stopping stats...Done.
	Stopping mta...Done.
	Stopping spell...Done.
	Stopping snmp...Done.
	Stopping cbpolicyd...Done.
	Stopping archiving...Done.
	Stopping opendkim...Done.
	Stopping amavis...Done.
	Stopping antivirus...Done.
	Stopping antispam...Done.
	Stopping proxy...Done.
	Stopping memcached...Done.
	Stopping mailbox...Done.
	Stopping logger...Done.
	Stopping dnscache...Done.
	Stopping ldap...Done.
Host zimbra2.virtualarchitects.com
	Starting ldap...Done.
	Starting zmconfigd...Done.
	Starting dnscache...Done.
	Starting logger...Done.
	Starting mailbox...Done.
	Starting memcached...Done.
	Starting proxy...Done.
	Starting amavis...Done.
	Starting antispam...Done.
	Starting antivirus...Done.
	Starting opendkim...Done.
	Starting snmp...Done.
	Starting spell...Done.
	Starting mta...Done.
	Starting stats...Done.
	Starting service webapp...Done.
	Starting zimbra webapp...Done.
	Starting zimbraAdmin webapp...Done.
	Starting zimlet webapp...Done.
[Wed Nov 10 20:48:31 MST 2021] Success

internet/security/ssl_cert_letsencrypt_zimbra.1642524124.txt.gz · Last modified: 2022/01/18 09:42 by gcooper